pam_yubico for ssh on CentOS 7


rpm -ivh

Install pam_yubico:

yum install -y pam_yubico

Set the SELinux boolean that permits sshd to make HTTP connections:

setsebool -P authlogin_yubikey 1

Configure PAM (/etc/pam.d/sshd):

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Yubikey authentication
auth       required     pam_yubico.so id=16
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

Create ~/.yubico/authorized_yubikeys and put your username and YubiKey ID code in it:


Edit /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

Reload sshd:

systemctl reload sshd
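
A preflight check for the steps above, to run before the reload. This is an added example, not part of the original page or of pam_yubico; the function names are hypothetical. It assumes the mapping file uses pam_yubico's username:tokenid[:tokenid...] form with the default 12-character modhex token ID.

```shell
#!/bin/sh
# Preflight checks to run before "systemctl reload sshd".
# Added example: function names are hypothetical, not part of pam_yubico.

MODHEX='cbdefghijklnrtuv'   # alphabet YubiKey OTPs are printed in

# check_mapping FILE USER
# FILE must contain "USER:<id>[:<id>...]"; each id is assumed to be the
# default 12-character modhex public ID (first 12 characters of an OTP).
check_mapping() {
    file=$1 user=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # Writable by group/other means someone else could enrol their own key.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "$file is group- or world-writable"; return 1
    fi
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$file")
    [ -n "$line" ] || { echo "no entry for $user in $file"; return 1; }
    printf '%s\n' "$line" | grep -Eq "^[^:]+(:[$MODHEX]{12})+\$" \
        || { echo "malformed token ID for $user"; return 1; }
}

# check_sshd PAM_FILE SSHD_CONFIG
check_sshd() {
    pam=$1 conf=$2
    # An uncommented auth rule must reference pam_yubico.so.
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_yubico\.so' "$pam" \
        || { echo "no active pam_yubico auth rule in $pam"; return 1; }
    # sshd honours the first occurrence of a keyword, so inspect that one.
    first=$(awk 'tolower($1) == "challengeresponseauthentication" {
                     print tolower($2); exit }' "$conf")
    [ "$first" = yes ] \
        || { echo "ChallengeResponseAuthentication is not 'yes' in $conf"; return 1; }
}

# Typical use on the host:
#   check_mapping "$HOME/.yubico/authorized_yubikeys" "$USER" &&
#   check_sshd /etc/pam.d/sshd /etc/ssh/sshd_config
```

Keep an existing root session open while testing the new login path, and run sshd -t as well to catch syntax errors in sshd_config before reloading.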